show apt-key warnings in apt update

In 105503b4b470c124bc0c271bd8a50e25ecbe9133 we got a warning implemented
for unreadable files which greatly improves the behavior of apt update
already as everything will work as long as we don't need the keys
included in these files. The behavior if they are needed is still
strange through as update will fail claiming missing keys and a manual
test (which the user will likely perform as root) will be successful.

Passing the new warning generated by apt-key through to apt is a bit
strange from an interface point of view, but basically duplicating the
warning code in multiple places doesn't feel right either. That means we
have no translation for the message through as apt-key has no i18n yet.

It also means that if the user has a bunch of sources each of them will
generate a warning for each unreadable file which could result in quite
a few duplicated warnings, but "too many" is better than none.

Closes: 834973

diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index d34f59497cbe47f2765be4f56ff970711e28fa8a..199903d61165af2fce677695d39108abe48ef49f 100644 (file)
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -474,12 +474,27 @@ if [ -z "$command" ]; then
 fi
 shift
 
+find_gpgv_status_fd() {
+   while [ -n "$1" ]; do
+       if [ "$1" = '--status-fd' ]; then
+               shift
+               echo "$1"
+               break
+       fi
+       shift
+   done
+}
+GPGSTATUSFD="$(find_gpgv_status_fd "$@")"
+
 warn() {
     if [ -z "$GPGHOMEDIR" ]; then
        echo >&2 'W:' "$@"
     else
        echo 'W:' "$@" > "${GPGHOMEDIR}/aptwarnings.log"
     fi
+    if [ -n "$GPGSTATUSFD" ]; then
+       echo >&${GPGSTATUSFD} '[APTKEY:] WARNING' "$@"
+    fi
 }
 
 cleanup_gpg_home() {

diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index 2fed53a39c2147f2ef14b657ef9ae764810fb6c1..f2ef6b76e8ce537e3c7d0c7cebda617e4e9f1d82 100644 (file)
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -39,6 +39,7 @@ using std::vector;
 #define GNUPGEXPSIG "[GNUPG:] EXPSIG"
 #define GNUPGREVKEYSIG "[GNUPG:] REVKEYSIG"
 #define GNUPGNODATA "[GNUPG:] NODATA"
+#define APTKEYWARNING "[APTKEY:] WARNING"
 
 struct Digest {
    enum class State {
@@ -238,6 +239,8 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
 
          ValidSigners.push_back(sig);
       }
+      else if (strncmp(buffer, APTKEYWARNING, sizeof(APTKEYWARNING)-1) == 0)
+         Warning("%s", buffer + sizeof(APTKEYWARNING));
    }
    fclose(pipein);
    free(buffer);

diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index 20ca613da6467117e13eb084683d159f013a4713..e043fa8b5f41a8153c38ad7a12d281e08fe74681 100755 (executable)
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -107,6 +107,19 @@ runtest() {
 " aptcache show apt
        installaptold
 
+       if [ "$(id -u)" != '0' ]; then
+               msgmsg 'Cold archive signed by' 'Joe Sixpack + unreadable key'
+               rm -rf rootdir/var/lib/apt/lists
+               echo 'foobar' > rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
+               chmod 000 rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
+               updatewithwarnings '^W: .* is not readable by user'
+               chmod 644 rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
+               rm -f rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
+               testsuccessequal "$(cat "${PKGFILE}")
+" aptcache show apt
+               installaptold
+       fi
+
        msgmsg 'Good warm archive signed by' 'Joe Sixpack'
        prepare "${PKGFILE}-new"
        signreleasefiles 'Joe Sixpack'